SOC Reporting

Contact us or submit an RFP

Our Expertise

Gain confidence and insight into your internal controls

As cybersecurity incidents increase and regulatory requirements become more restrictive, many organizations find they need to ensure, with a high level of confidence, the effectiveness of their internal controls. SOC reports give you the ability to offer independent third-party assurance that your controls are designed properly and operating effectively — and demonstrate your commitment to the trust and security of your clients. But with multiple SOC reports and types, it can be difficult to know which one best fits your needs.

All SOC reports have two types: Type 1 and Type 2. Type 2 reports involve a longer evaluation period and are generally more rigorous than Type 1, but they may be necessary for organizations that are subject to more stringent compliance requirements. Our AICPA SOC specialists work across all industries and can help you identify which SOC report is right for your specific business and technology environment. From there, we’ll perform readiness assessments to identify control weaknesses and develop recommendations for remediation prior to undergoing the formal SOC examination. Our goal is to streamline the SOC process as much as possible and reduce the costs and difficulties encountered with a project of this magnitude. A SOC report offers more than peace of mind for your vendors, business partners, management, and stakeholders — it’s a competitive advantage.

Finding the right SOC services for you

Our clients range in size and complexity from large publicly traded companies to small technology startups. Drawing from our expertise serving such a diverse client base, we can assist with a variety of compliance frameworks to ensure your organization stays competitive and compliant.

We can help with:

SOC 1
SOC 1 reports generally cover internal controls over financial reporting (ICFR) and the related IT general controls. You should consider a SOC 1 when you’re looking to provide assurance to management, existing clients, and your client’s auditors over controls related to ICFR, such as outsourced accounting functions.
SOC 2
SOC 2 reports examine controls related to security, availability, processing integrity, confidentiality, and privacy. If you’re looking to assure management, as well as existing and prospective clients, about operational subject matter such as these, a SOC 2 report may be the right choice.
SOC 2+
SOC 2+ reports include controls related to security, availability, processing integrity, confidentiality, and privacy. If your organization is also subject to other frameworks or regulations, such as HIPAA, NIST, etc., we can add this into a SOC 2+ report.
SOC 3
A SOC 3 report covers the same controls as SOC 2 — security, availability, processing integrity, confidentiality, and privacy— but it’s intended for public use and consumption.
SOC for cybersecurity
SOC examinations can be conducted for enterprise-wide cybersecurity risk management programs and include cybersecurity controls specifically. These can be used to assure your management, board of directors, audit committee, investors, business partners, and other key stakeholders of the effectiveness of your cybersecurity risk management program. As the SEC and other regulators continue to emphasize the importance of managing cybersecurity risks, the need for a SOC for cybersecurity may increase over time.
SOC for supply chain
Supply chains can be fragile, impacted by global trends, speed-to-market pressures, and other outside forces. As a result, your stakeholders may want information over the system that you use to produce, manufacture, or distribute products and the effectiveness of controls within that system. This examination is also based on the trust services criteria over security, availability, processing integrity, confidentiality, and/or privacy. A SOC for supply chain examination can provide customers or business partners with information they may use to identify, assess, and manage the risks that arise from their relationship with your company, and provide peace of mind for multiple end users.
SOC readiness
Are you ready to undergo a formal SOC examination? After we determine which report you need, we’ll develop a well-rounded understanding of the boundaries of your system and controls in place with interactive, in-person interviews and meetings. From there, we’ll provide defined deliverables with suggested control improvements. Upon completion of our assessment, you and your team will be fully prepared for a SOC examination.

Insights

More insights
Group of cybersecurity professionals going over the basics of SOC examinations.

SOC reporting 101: A key step to strengthen organization controls

Article / 6 min read
Two men sitting discussing reports

Eight steps to writing a system description for your SOC report

Article / 6 min read
Business professional in a wheelchair taking part in a virtual call.

SOC 2 preparation tools: The hidden risks

Article / 3 min read
Professional photo of Angela Appleby in front of a blurred white and blue background.

Angela Appleby named a top CPA in America

In The News / 1 min read
Group of cybersecurity professionals gathered around a computer.

Prioritizing cybersecurity as a holistic leader

Webinar / 1 hour watch
Headshot of Angela Appleby.

SOC reports are growing in the market: What it means for the accounting industry

In The News / 21 min listen
Return to top of section

Case Studies

SEE ALL CASE STUDIES
Image of two people talking
June 01, 2022

SOC 2 report and ISO compliance for global firm

Global advisory firm strengthens security measures and improves security posture, improving client confidence and increasing business.
Case Study / 1 min read
Building stair with sunrise
August 01, 2017

Global company prevents audits and retains business with SOC 1 reporting

Global transaction processing conglomerate reduces client audits and creates proactive SOC reports.
Case Study / 1 min read
Image of people meeting
September 22, 2016

SOC 1 audit for government pension plan

MERS of Michigan proactively completes a SOC 1 Type 2 audit of their defined benefit pension plan system.
Case Study / 2 min read

Client Experience

Your on-the-ground resource for SOC examinations

Our cybersecurity practice has been providing consulting services for more than 30 years. We have the expertise you need to deliver value and peace of mind to your stakeholders. We’re also involved with the AICPA SOC committees, which provides us with an advanced view of upcoming issues and changes and allows us to advocate for our clients when SOC-related professional pronouncements are being updated. And we don’t just talk the talk. We also undergo an annual, third-party-administered SOC 2 examination, for which we’ve continuously received a passing rating, meaning we don’t have any gaps in our security controls — a high standard we’ll pass on to you.

Sarah Pevelek Sarah Pavelek

Partner

+1-248-223-3891

Headshot of Angela Appleby Angela Appleby

Partner

+1-303-846-3332

Photo of Tim Bowing Tim Bowling

Partner

+1-312-980-2927

Headshot of Natalie Pintar. Natalie Pintar

Principal

+1-248-223-3369

Meet Our Team